I'm trying to set up a GRE tunnel for an anti-DoS solution for my Minecraft hosting.
Server A is the server which forwards the connections to the backend server. Server B is the backend server.
Whenever I connect to a normal Minecraft server on server B through server A, it works as expected.
But when trying to connect to a Minecraft server through a BungeeCord (proxy) server, with server A's public/external IP address, it won't forward the connection. It will, however, connect if I use server B's public/external IP address (it will use lo). But using this will of course render the entire anti-DoS pointless.
So my question is: how do I make it possible to forward the connection when using server A's public/external IP address for the BungeeCord (proxy) and Minecraft server?
I used this Hetzner guide to set up the GRE tunnel.
All Minecraft instances are running in Pterodactyl, and also Docker. The Docker containers run in host network mode.
Active iptables, ip addr, rule and route on server A:
root@tnode1:~# iptables -L
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 10.2.0.2 state NEW,RELATED,ESTABLISHED
ACCEPT all -- 10.2.0.2 anywhere state NEW,RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@tnode1:~# iptables -t nat -L
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere vps-9cb92e40.vps.ovh.net tcp dpts:25565:65535 to:10.2.0.2
DNAT udp -- anywhere vps-9cb92e40.vps.ovh.net udp dpts:25565:65535 to:10.2.0.2
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 10.2.0.0/30 anywhere to:external.ip.server.a
root@tnode1:~# iptables -t mangle -L
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
root@tnode1:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether fa:16:3e:f4:a7:2f brd ff:ff:ff:ff:ff:ff
altname enp0s3
inet external.ip.server.a/sub brd broadcast.ip.server.a scope global ens3
valid_lft forever preferred_lft forever
3: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1000
link/gre 0.0.0.0 brd 0.0.0.0
4: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
5: erspan0@NONE: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
6: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1000
link/gre external.ip.server.a peer external.ip.server.b
inet 10.2.0.1/30 scope global gre1
valid_lft forever preferred_lft forever
root@tnode1:~# ip rule
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
root@tnode1:~# ip route
default via default.gateway.server.a dev ens3 onlink
10.2.0.0/30 dev gre1 proto kernel scope link src 10.2.0.1
Active iptables, ip addr, rule and route on server B:
root@node1:~# iptables -L
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
root@node1:~# iptables -t nat -L
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 anywhere
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
root@node1:~# iptables -t mangle -L
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
root@node1:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: enp8s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether a8:a1:59:94:15:bc brd ff:ff:ff:ff:ff:ff
inet external.ip.server.b/sub brd broadcast.ip.server.b scope global enp8s0
valid_lft forever preferred_lft forever
3: enp8s0.4000@enp8s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc noqueue state UP group default qlen 1000
link/ether a8:a1:59:94:15:bc brd ff:ff:ff:ff:ff:ff
inet 10.1.0.2/24 brd 10.1.0.255 scope global enp8s0.4000
valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:a3:d6:7d:49 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
5: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1000
link/gre 0.0.0.0 brd 0.0.0.0
6: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
7: erspan0@NONE: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
8: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1000
link/gre external.ip.server.b peer external.ip.server.a
inet 10.2.0.2/30 scope global gre1
valid_lft forever preferred_lft forever
root@node1:~# ip rule
0: from all lookup local
32765: from 10.2.0.0/30 lookup GRE
32766: from all lookup main
32767: from all lookup default
root@node1:~# ip route
default via default.gateway.server.b dev enp8s0 onlink
10.0.0.0/16 via 10.1.0.1 dev enp8s0.4000
10.1.0.0/24 dev enp8s0.4000 proto kernel scope link src 10.1.0.2
10.2.0.0/30 dev gre1 proto kernel scope link src 10.2.0.2
default.gateway.server.b/sub dev enp8s0 proto kernel scope link src external.ip.server.b
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
I've been working on this for a few days now. Does anyone know a solution to this? Thanks in advance!